authorMatthias Held <ilovemilk@wusa.io>2018-09-07 18:49:46 +0300
committerMatthias Held <ilovemilk@wusa.io>2018-09-07 18:49:46 +0300
commit308547acb69f452d5a1423285d2b8c007f477fea (patch)
tree28b8b4fdb28c19473e1ca882ee7d7090947b0ec3
parentba88b8210ab98ae35fcbf3ff950afe552286c815 (diff)
Reduce file suspicion levels to 3
-rw-r--r--lib/Analyzer/SequenceAnalyzer.php7
-rw-r--r--lib/Classifier.php16
-rw-r--r--tests/Unit/Analyzer/SequenceAnalyzerTest.php10
-rw-r--r--tests/Unit/ClassifierTest.php42
-rw-r--r--tests/Unit/Controller/ScanControllerTest.php2
-rw-r--r--tests/Unit/Db/FileOperationTest.php6
6 files changed, 37 insertions, 46 deletions
diff --git a/lib/Analyzer/SequenceAnalyzer.php b/lib/Analyzer/SequenceAnalyzer.php
index 219220c..6677ac9 100644
--- a/lib/Analyzer/SequenceAnalyzer.php
+++ b/lib/Analyzer/SequenceAnalyzer.php
@@ -122,15 +122,12 @@ class SequenceAnalyzer
break;
}
switch ($file->getSuspicionClass()) {
- case Classifier::HIGH_LEVEL_OF_SUSPICION:
+ case Classifier::SUSPICIOUS:
$highSuspicionFiles[] = $file;
break;
- case Classifier::MIDDLE_LEVEL_OF_SUSPICION:
+ case Classifier::MAYBE_SUSPICIOUS:
$middleSuspicionFiles[] = $file;
break;
- case Classifier::LOW_LEVEL_OF_SUSPICION:
- $lowSuspicionFiles[] = $file;
- break;
case Classifier::NOT_SUSPICIOUS:
$noSuspicionFiles[] = $file;
break;
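Review bot: The switch still has no `default:` branch, so a `suspicionClass` of 3 — the former `LOW_LEVEL_OF_SUSPICION` — now matches no case and the file is silently dropped from every bucket. If `suspicionClass` is persisted (tests/Unit/Db/FileOperationTest.php appears to treat it as a mapped field), rows written before this commit can still carry that value, and the same gap exists in the Classifier constants hunk, where the value 3 is removed without an alias or migration. Consider mapping the legacy value explicitly, e.g. `case 3: // legacy LOW_LEVEL_OF_SUSPICION, pre-3-level rows` / `$noSuspicionFiles[] = $file;` / `break;`, or adding a `default:` that logs the unexpected value so it is visible rather than lost. If `$lowSuspicionFiles` is still initialised or read outside this hunk it is now dead. The enclosing method starts and ends outside the hunk.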
diff --git a/lib/Classifier.php b/lib/Classifier.php
index 2441b14..b040395 100644
--- a/lib/Classifier.php
+++ b/lib/Classifier.php
@@ -34,10 +34,8 @@ class Classifier
*
* @var int
*/
- const HIGH_LEVEL_OF_SUSPICION = 1;
- const MIDDLE_LEVEL_OF_SUSPICION = 2;
- // deprecated will be removed
- const LOW_LEVEL_OF_SUSPICION = 3;
+ const SUSPICIOUS = 1;
+ const MAYBE_SUSPICIOUS = 2;
const NOT_SUSPICIOUS = 4;
const NO_INFORMATION = 5;
@@ -82,17 +80,13 @@ class Classifier
) {
if ($file->getFileClass() === EntropyResult::ENCRYPTED) {
if ($file->getFileExtensionClass() === FileExtensionResult::SUSPICIOUS) {
- $file->setSuspicionClass(self::HIGH_LEVEL_OF_SUSPICION);
- } elseif ($file->getFileExtensionClass() > FileExtensionResult::NOT_SUSPICIOUS) {
- $file->setSuspicionClass(self::MIDDLE_LEVEL_OF_SUSPICION);
+ $file->setSuspicionClass(self::SUSPICIOUS);
} else {
- $file->setSuspicionClass(self::NOT_SUSPICIOUS);
+ $file->setSuspicionClass(self::MAYBE_SUSPICIOUS);
}
} elseif ($file->getFileClass() === EntropyResult::COMPRESSED) {
if ($file->getFileExtensionClass() === FileExtensionResult::SUSPICIOUS) {
- $file->setSuspicionClass(self::MIDDLE_LEVEL_OF_SUSPICION);
- } elseif ($file->getFileExtensionClass() > FileExtensionResult::NOT_SUSPICIOUS) {
- $file->setSuspicionClass(self::LOW_LEVEL_OF_SUSPICION);
+ $file->setSuspicionClass(self::MAYBE_SUSPICIOUS);
} else {
$file->setSuspicionClass(self::NOT_SUSPICIOUS);
}
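Review bot: The broadened `else` branch in the ENCRYPTED block — every extension result other than `SUSPICIOUS` now yields `MAYBE_SUSPICIOUS`, where the old code cleared such files as `NOT_SUSPICIOUS` — is a sensitivity change rather than a relabelling, and it is left uncommented. Suggest `// High entropy alone is a weak indicator: encrypted content with an inconspicuous extension is MAYBE_SUSPICIOUS, not cleared.` above that assignment so the next reader does not revert it as a mistake. The COMPRESSED block treats the same extension result as `NOT_SUSPICIOUS`; if that asymmetry is intended, a one-line comment there would help too. The enclosing method starts and ends outside the hunk.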
diff --git a/tests/Unit/Analyzer/SequenceAnalyzerTest.php b/tests/Unit/Analyzer/SequenceAnalyzerTest.php
index 892134c..595a532 100644
--- a/tests/Unit/Analyzer/SequenceAnalyzerTest.php
+++ b/tests/Unit/Analyzer/SequenceAnalyzerTest.php
@@ -62,28 +62,28 @@ class SequenceAnalyzerTest extends TestCase
$fileOperation1->setOriginalName('test.csv');
$fileOperation1->setSize(123000);
$fileOperation1->setType('file');
- $fileOperation1->setSuspicionClass(Classifier::HIGH_LEVEL_OF_SUSPICION);
+ $fileOperation1->setSuspicionClass(Classifier::SUSPICIOUS);
$fileOperation2 = new FileOperation();
$fileOperation2->setCommand(Monitor::DELETE);
$fileOperation2->setOriginalName('test.csv');
$fileOperation2->setSize(123000);
$fileOperation2->setType('file');
- $fileOperation2->setSuspicionClass(Classifier::HIGH_LEVEL_OF_SUSPICION);
+ $fileOperation2->setSuspicionClass(Classifier::SUSPICIOUS);
$fileOperation3 = new FileOperation();
$fileOperation3->setCommand(Monitor::WRITE);
$fileOperation3->setOriginalName('test.csv');
$fileOperation3->setSize(123000);
$fileOperation3->setType('file');
- $fileOperation3->setSuspicionClass(Classifier::MIDDLE_LEVEL_OF_SUSPICION);
+ $fileOperation3->setSuspicionClass(Classifier::MAYBE_SUSPICIOUS);
$fileOperation4 = new FileOperation();
$fileOperation4->setCommand(Monitor::WRITE);
$fileOperation4->setOriginalName('test.csv');
$fileOperation4->setSize(123000);
$fileOperation4->setType('file');
- $fileOperation4->setSuspicionClass(Classifier::LOW_LEVEL_OF_SUSPICION);
+ $fileOperation4->setSuspicionClass(Classifier::NOT_SUSPICIOUS);
$fileOperation5 = new FileOperation();
$fileOperation5->setCommand(Monitor::WRITE);
@@ -123,7 +123,7 @@ class SequenceAnalyzerTest extends TestCase
['sequence' => [$fileOperationRename], 'suspicionScore' => 0],
['sequence' => [$fileOperationUnknown], 'suspicionScore' => 0],
['sequence' => [$fileOperation3], 'suspicionScore' => 0.75],
- ['sequence' => [$fileOperation4], 'suspicionScore' => 0.5],
+ ['sequence' => [$fileOperation4], 'suspicionScore' => 0],
['sequence' => [$fileOperation5], 'suspicionScore' => 0],
['sequence' => [$fileOperation6], 'suspicionScore' => 0],
];
diff --git a/tests/Unit/ClassifierTest.php b/tests/Unit/ClassifierTest.php
index 43b9dcd..aba5c87 100644
--- a/tests/Unit/ClassifierTest.php
+++ b/tests/Unit/ClassifierTest.php
@@ -59,14 +59,14 @@ class ClassifierTest extends TestCase
public function dataClassifyFile()
{
return [
- ['command' => Monitor::WRITE, 'fileClass' => EntropyResult::ENCRYPTED, 'fileExtensionClass' => FileExtensionResult::NOT_SUSPICIOUS, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
- ['command' => Monitor::WRITE, 'fileClass' => EntropyResult::ENCRYPTED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::HIGH_LEVEL_OF_SUSPICION],
- ['command' => Monitor::WRITE, 'fileClass' => EntropyResult::ENCRYPTED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::HIGH_LEVEL_OF_SUSPICION],
- ['command' => Monitor::WRITE, 'fileClass' => EntropyResult::ENCRYPTED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::HIGH_LEVEL_OF_SUSPICION],
+ ['command' => Monitor::WRITE, 'fileClass' => EntropyResult::ENCRYPTED, 'fileExtensionClass' => FileExtensionResult::NOT_SUSPICIOUS, 'suspicionClass' => Classifier::MAYBE_SUSPICIOUS],
+ ['command' => Monitor::WRITE, 'fileClass' => EntropyResult::ENCRYPTED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::SUSPICIOUS],
+ ['command' => Monitor::WRITE, 'fileClass' => EntropyResult::ENCRYPTED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::SUSPICIOUS],
+ ['command' => Monitor::WRITE, 'fileClass' => EntropyResult::ENCRYPTED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::SUSPICIOUS],
['command' => Monitor::WRITE, 'fileClass' => EntropyResult::COMPRESSED, 'fileExtensionClass' => FileExtensionResult::NOT_SUSPICIOUS, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
- ['command' => Monitor::WRITE, 'fileClass' => EntropyResult::COMPRESSED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::MIDDLE_LEVEL_OF_SUSPICION],
- ['command' => Monitor::WRITE, 'fileClass' => EntropyResult::COMPRESSED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::MIDDLE_LEVEL_OF_SUSPICION],
- ['command' => Monitor::WRITE, 'fileClass' => EntropyResult::COMPRESSED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::MIDDLE_LEVEL_OF_SUSPICION],
+ ['command' => Monitor::WRITE, 'fileClass' => EntropyResult::COMPRESSED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::MAYBE_SUSPICIOUS],
+ ['command' => Monitor::WRITE, 'fileClass' => EntropyResult::COMPRESSED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::MAYBE_SUSPICIOUS],
+ ['command' => Monitor::WRITE, 'fileClass' => EntropyResult::COMPRESSED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::MAYBE_SUSPICIOUS],
['command' => Monitor::WRITE, 'fileClass' => EntropyResult::NORMAL, 'fileExtensionClass' => FileExtensionResult::NOT_SUSPICIOUS, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
['command' => Monitor::WRITE, 'fileClass' => EntropyResult::NORMAL, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
['command' => Monitor::READ, 'fileClass' => EntropyResult::ENCRYPTED, 'fileExtensionClass' => FileExtensionResult::NOT_SUSPICIOUS, 'suspicionClass' => Classifier::NO_INFORMATION],
@@ -81,26 +81,26 @@ class ClassifierTest extends TestCase
['command' => Monitor::READ, 'fileClass' => EntropyResult::NORMAL, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::NO_INFORMATION],
['command' => Monitor::READ, 'fileClass' => EntropyResult::NORMAL, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::NO_INFORMATION],
['command' => Monitor::READ, 'fileClass' => EntropyResult::NORMAL, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::NO_INFORMATION],
- ['command' => Monitor::DELETE, 'fileClass' => EntropyResult::ENCRYPTED, 'fileExtensionClass' => FileExtensionResult::NOT_SUSPICIOUS, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
- ['command' => Monitor::DELETE, 'fileClass' => EntropyResult::ENCRYPTED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::HIGH_LEVEL_OF_SUSPICION],
- ['command' => Monitor::DELETE, 'fileClass' => EntropyResult::ENCRYPTED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::HIGH_LEVEL_OF_SUSPICION],
- ['command' => Monitor::DELETE, 'fileClass' => EntropyResult::ENCRYPTED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::HIGH_LEVEL_OF_SUSPICION],
+ ['command' => Monitor::DELETE, 'fileClass' => EntropyResult::ENCRYPTED, 'fileExtensionClass' => FileExtensionResult::NOT_SUSPICIOUS, 'suspicionClass' => Classifier::MAYBE_SUSPICIOUS],
+ ['command' => Monitor::DELETE, 'fileClass' => EntropyResult::ENCRYPTED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::SUSPICIOUS],
+ ['command' => Monitor::DELETE, 'fileClass' => EntropyResult::ENCRYPTED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::SUSPICIOUS],
+ ['command' => Monitor::DELETE, 'fileClass' => EntropyResult::ENCRYPTED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::SUSPICIOUS],
['command' => Monitor::DELETE, 'fileClass' => EntropyResult::COMPRESSED, 'fileExtensionClass' => FileExtensionResult::NOT_SUSPICIOUS, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
- ['command' => Monitor::DELETE, 'fileClass' => EntropyResult::COMPRESSED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::MIDDLE_LEVEL_OF_SUSPICION],
- ['command' => Monitor::DELETE, 'fileClass' => EntropyResult::COMPRESSED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::MIDDLE_LEVEL_OF_SUSPICION],
- ['command' => Monitor::DELETE, 'fileClass' => EntropyResult::COMPRESSED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::MIDDLE_LEVEL_OF_SUSPICION],
+ ['command' => Monitor::DELETE, 'fileClass' => EntropyResult::COMPRESSED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::MAYBE_SUSPICIOUS],
+ ['command' => Monitor::DELETE, 'fileClass' => EntropyResult::COMPRESSED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::MAYBE_SUSPICIOUS],
+ ['command' => Monitor::DELETE, 'fileClass' => EntropyResult::COMPRESSED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::MAYBE_SUSPICIOUS],
['command' => Monitor::DELETE, 'fileClass' => EntropyResult::NORMAL, 'fileExtensionClass' => FileExtensionResult::NOT_SUSPICIOUS, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
['command' => Monitor::DELETE, 'fileClass' => EntropyResult::NORMAL, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
['command' => Monitor::DELETE, 'fileClass' => EntropyResult::NORMAL, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
['command' => Monitor::DELETE, 'fileClass' => EntropyResult::NORMAL, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
- ['command' => Monitor::RENAME, 'fileClass' => EntropyResult::ENCRYPTED, 'fileExtensionClass' => FileExtensionResult::NOT_SUSPICIOUS, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
- ['command' => Monitor::RENAME, 'fileClass' => EntropyResult::ENCRYPTED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::HIGH_LEVEL_OF_SUSPICION],
- ['command' => Monitor::RENAME, 'fileClass' => EntropyResult::ENCRYPTED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::HIGH_LEVEL_OF_SUSPICION],
- ['command' => Monitor::RENAME, 'fileClass' => EntropyResult::ENCRYPTED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::HIGH_LEVEL_OF_SUSPICION],
+ ['command' => Monitor::RENAME, 'fileClass' => EntropyResult::ENCRYPTED, 'fileExtensionClass' => FileExtensionResult::NOT_SUSPICIOUS, 'suspicionClass' => Classifier::MAYBE_SUSPICIOUS],
+ ['command' => Monitor::RENAME, 'fileClass' => EntropyResult::ENCRYPTED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::SUSPICIOUS],
+ ['command' => Monitor::RENAME, 'fileClass' => EntropyResult::ENCRYPTED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::SUSPICIOUS],
+ ['command' => Monitor::RENAME, 'fileClass' => EntropyResult::ENCRYPTED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::SUSPICIOUS],
['command' => Monitor::RENAME, 'fileClass' => EntropyResult::COMPRESSED, 'fileExtensionClass' => FileExtensionResult::NOT_SUSPICIOUS, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
- ['command' => Monitor::RENAME, 'fileClass' => EntropyResult::COMPRESSED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::MIDDLE_LEVEL_OF_SUSPICION],
- ['command' => Monitor::RENAME, 'fileClass' => EntropyResult::COMPRESSED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::MIDDLE_LEVEL_OF_SUSPICION],
- ['command' => Monitor::RENAME, 'fileClass' => EntropyResult::COMPRESSED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::MIDDLE_LEVEL_OF_SUSPICION],
+ ['command' => Monitor::RENAME, 'fileClass' => EntropyResult::COMPRESSED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::MAYBE_SUSPICIOUS],
+ ['command' => Monitor::RENAME, 'fileClass' => EntropyResult::COMPRESSED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::MAYBE_SUSPICIOUS],
+ ['command' => Monitor::RENAME, 'fileClass' => EntropyResult::COMPRESSED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::MAYBE_SUSPICIOUS],
['command' => Monitor::RENAME, 'fileClass' => EntropyResult::NORMAL, 'fileExtensionClass' => FileExtensionResult::NOT_SUSPICIOUS, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
['command' => Monitor::RENAME, 'fileClass' => EntropyResult::NORMAL, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
['command' => Monitor::RENAME, 'fileClass' => EntropyResult::NORMAL, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
diff --git a/tests/Unit/Controller/ScanControllerTest.php b/tests/Unit/Controller/ScanControllerTest.php
index 6c971c3..a8b7bf2 100644
--- a/tests/Unit/Controller/ScanControllerTest.php
+++ b/tests/Unit/Controller/ScanControllerTest.php
@@ -233,7 +233,7 @@ class ScanControllerTest extends TestCase
$fileOperation1->setStandardDeviation(0.1);
$fileOperation1->setFileClass(EntropyResult::NORMAL);
$fileOperation1->setFileExtensionClass(FileExtensionResult::NOT_SUSPICIOUS);
- $fileOperation1->setSuspicionClass(Classifier::HIGH_LEVEL_OF_SUSPICION);
+ $fileOperation1->setSuspicionClass(Classifier::SUSPICIOUS);
$sequenceResult = new SequenceResult(1, 0.0, 1.1, 2.2, 4.5, []);
diff --git a/tests/Unit/Db/FileOperationTest.php b/tests/Unit/Db/FileOperationTest.php
index d5581cb..3befa4d 100644
--- a/tests/Unit/Db/FileOperationTest.php
+++ b/tests/Unit/Db/FileOperationTest.php
@@ -66,9 +66,9 @@ class FileOperationTest extends TestCase
['field' => 'fileExtensionClass', 'value' => FileExtensionResult::SUSPICIOUS],
['field' => 'suspicionClass', 'value' => Classifier::NO_INFORMATION],
['field' => 'suspicionClass', 'value' => Classifier::NOT_SUSPICIOUS],
- ['field' => 'suspicionClass', 'value' => Classifier::MIDDLE_LEVEL_OF_SUSPICION],
- ['field' => 'suspicionClass', 'value' => Classifier::LOW_LEVEL_OF_SUSPICION],
- ['field' => 'suspicionClass', 'value' => Classifier::HIGH_LEVEL_OF_SUSPICION],
+ ['field' => 'suspicionClass', 'value' => Classifier::MAYBE_SUSPICIOUS],
+ ['field' => 'suspicionClass', 'value' => Classifier::MAYBE_SUSPICIOUS],
+ ['field' => 'suspicionClass', 'value' => Classifier::SUSPICIOUS],
];
return $data;
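Review bot: The row `['field' => 'suspicionClass', 'value' => Classifier::MAYBE_SUSPICIOUS]` now appears twice in a row, because the former `LOW_LEVEL_OF_SUSPICION` entry was mechanically replaced rather than removed; the second copy adds no coverage and should be dropped. With `NO_INFORMATION`, `NOT_SUSPICIOUS`, `MAYBE_SUSPICIOUS` and `SUSPICIOUS` each listed once, the provider already covers every remaining constant. The enclosing data-provider method starts outside the hunk.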